Integrate Ubuntu 16.04 to AD as a Domain Member with Samba and Winbind – Part 8

This tutorial describes how to join an Ubuntu machine into a Samba4 Active Directory domain in order to authenticate AD accounts with local ACL for files and directories or to create and map volume shares for domain controller users (act a as file server).

2. On the next step, open and manually edit your machine network settings with the proper IP configurations. The most important settings here are the DNS IP addresses which points back to your domain controller.

Edit /etc/network/interfaces file and add dns-nameservers statement with your proper AD IP addresses and domain name as illustrated on the below screenshot.

Also, make sure that the same DNS IP addresses and the domain name are added to /etc/resolv.conf file.

Configure Network Settings for AD

On the above screenshot, 192.168.1.254 and 192.168.1.253 are the IP addresses of the Samba4 AD DC and Tecmint.lan represents the name of the AD domain which will be queried by all machines integrated into realm.

3. Restart the network services or reboot the machine in order to apply the new network configurations. Issue a ping command against your domain name in order to test if DNS resolution is working as expected.

The AD DC should replay with its FQDN. In case you have configured a DHCP server in your network to automatically assign IP settings for your LAN hosts, make sure you add AD DC IP addresses to the DHCP server DNS configurations.

# systemctl restart networking.service
# ping -c2 your_domain_name

4. The last important configuration required is represented by time synchronization. Install ntpdate package, query and sync time with the AD DC by issuing the below commands.

The winbind use default domain parameter causes winbind service to treat any unqualified AD usernames as users of the AD. You should omit this parameter if you have local system accounts names which overlap AD accounts.

8. Now you should restart all samba daemons and stop and remove unnecessary services and enable samba services system-wide by issuing the below commands.

14. In order to authenticate on Ubuntu machine with domain accounts you need to run pam-auth-update command with root privileges and add all the entries required for winbind service and to automatically create home directories for each domain account at the first login.

Check all entries by pressing [space] key and hit ok to apply configuration.

$ sudo pam-auth-update

Authenticate Ubuntu with Domain Accounts

15. On Debian systems you need to manually edit /etc/pam.d/common-account file and the following line in order to automatically create homes for authenticated domain users.

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

Authenticate Debian with Domain Accounts

16. In order for Active Directory users to be able to change password from command line in Linux open /etc/pam.d/common-password file and remove the use_authtok statement from password line to finally look as on the below excerpt.

password [success=1 default=ignore] pam_winbind.so try_first_pass

Users Allowed to Change Password

17. To authenticate on Ubuntu host with a Samba4 AD account use the domain username parameter after su – command. Run id command to get extra info about the AD account.

$ su - your_ad_user

Find AD User Information

Use pwd command to see your domain user current directory and passwd command if you want to change password.

18. To use a domain account with root privileges on your Ubuntu machine, you need to add the AD username to the sudo system group by issuing the below command:

$ sudo usermod -aG sudo your_domain_user

Login to Ubuntu with the domain account and update your system by running apt-get update command to check if the domain user has root privileges.

Add Sudo User Root Group

19. To add root privileges for a domain group, open end edit /etc/sudoers file using visudo command and add the following line as illustrated on the below screenshot.

%YOUR_DOMAIN\your_domain\ group ALL=(ALL:ALL) ALL

Add Root Privileges to Domain Group

Use backslashes to escape spaces contained into your domain group name or to escape the first backslash. In the above example the domain group for TECMINT realm is named “domain admins”.

The preceding percent sign (%) symbol indicates that we are referring to a group, not a username.

20. In case you are running the graphical version of Ubuntu and you want to login on the system with a domain user, you need to modify LightDM display manager by editing /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf file, add the following lines and reboot the machine to reflect changes.

greeter-show-manual-login=true
greeter-hide-users=true

It should now be able to perform logins on Ubuntu Desktop with a domain account using either your_domain_username or [email protected]_domain.tld or your_domain\your_domain_username format.

I reinstalled libnss and libpam and winbind packages. from then on the ownership permissions are changed instead of domain users it shows “rtcarchivingdomainservices“. Could anyone please help me on this?

Or do let me know how to unjoin from domain without affecting the permissions for previous users in that machine.